There is a version of this story that gets told as a product failure. Fortinet ships a firewall. A threat actor breaches hundreds of them. Patch your systems. Enable MFA. Move on.
That version misses the point entirely.
The FortiGate campaign that Amazon Threat Intelligence disclosed in February 2026 was not a story about a vendor's vulnerability. It was a proof of concept for a new category of attacker — one with limited technical skills, commercially available AI tools, and the patience to let automation do what expertise used to require. The identification of CyberStrikeAI as the platform underlying that campaign, reported by Team Cymru's Will Thomas on March 3, 2026, adds a second layer: the tool used is open-source, actively maintained, and linked to a developer with traceable ties to China's Ministry of State Security.
This is the story of how an AI-powered attack assembly line was quietly built, deployed, and is now spreading — and what that actually means for every organization still treating perimeter security as a checkbox.
The Tool: CyberStrikeAI and What It Actually Does
CyberStrikeAI was published to GitHub on November 8, 2025, by a developer operating under the alias Ed1s0nZ. Written in Go, the platform describes itself as an "AI-native security testing platform" — a phrase that functions as both a marketing line and a fairly accurate technical description of what distinguishes it from traditional penetration testing toolkits.
Traditional offensive security tools — Metasploit, Nmap, Burp Suite — are powerful, but they require a skilled operator to know when and how to use them, interpret their output, and chain findings into a coherent attack path. CyberStrikeAI changes the equation by inserting a large language model into the orchestration layer. The platform integrates more than 100 security tools spanning the entire kill chain, but the distinguishing feature is what sits above those tools: an AI decision engine compatible with GPT, Claude, and DeepSeek that translates conversational instructions into tool invocations, interprets results, and proposes next steps.
According to CyberStrikeAI's own GitHub repository, the platform covers network scanning (nmap, masscan, rustscan), web and app scanning (sqlmap, nikto, gobuster, ffuf), exploitation (Metasploit, msfvenom, pwntools), post-exploitation (Mimikatz, hashcat, BloodHound), cloud security (prowler, pacu), and binary analysis (Ghidra, radare2). The tool also integrates FOFA and ZoomEye for network space search — capabilities that directly support large-scale internet-facing reconnaissance. Source: github.com/Ed1s0nZ/CyberStrikeAI
The platform communicates with AI models via the Model Context Protocol (MCP), an emerging standard that allows language models to interface directly with external tools and data sources. This is not a gimmick. MCP-native integration means CyberStrikeAI can feed live reconnaissance data into a language model mid-operation, receive a structured attack plan, and automatically execute the suggested commands — all without requiring the operator to do anything beyond issuing an initial objective in plain language.
The dashboard provides a web interface with audit logging, SQLite persistence, and vulnerability management with CRUD operations. There is a mobile integration via DingTalk and Lark chatbots. The platform's changelog, readable on GitHub, shows active development through early 2026: a skills system with 20-plus predefined testing workflows was added January 15, role-based testing on January 11, and OpenAPI documentation with an interactive interface on January 27. This is not an abandoned proof-of-concept. It is a maintained product.
"Through native MCP protocol and AI agents, it enables end-to-end automation from conversational commands to vulnerability discovery, attack-chain analysis, knowledge retrieval, and result visualization — delivering an auditable, traceable, and collaborative testing environment for security teams." — CyberStrikeAI GitHub repository, Ed1s0nZ
The repository's disclaimer states the tool is for "educational and authorized testing purposes only." That disclaimer has done nothing to prevent the operational deployments Team Cymru subsequently documented.
The Developer: Ed1s0nZ and the State-Adjacency Problem
Understanding why CyberStrikeAI represents a threat beyond its technical capabilities requires understanding who built it and the community it was deliberately introduced into.
Security researcher Will Thomas, senior threat intelligence advisor at Team Cymru (alias @BushidoToken), published an analysis on March 3, 2026, concluding that CyberStrikeAI is an "open-source offensive security tool developed by a China-based developer who we assess has some ties to the Chinese government." That assessment is grounded in two documented actions by Ed1s0nZ.
On December 19, 2025, Ed1s0nZ submitted CyberStrikeAI to the Starlink Project maintained by Knownsec 404. Knownsec 404 is a Chinese cybersecurity firm that publicly presents as a private-sector research operation but has documented relationships with both China's Ministry of State Security (MSS) and the People's Liberation Army (PLA). In January 2026, DomainTools published an analysis of a major leak of Knownsec internal documents describing the firm as a "state-aligned cyber contractor" capable of supporting Chinese national security and military objectives, noting that its organizational structure — including a Military Products Division — mirrors a defense integrator whose primary clients include defense research institutes, public security bureaus, and state-owned enterprises. The leaked documents exposed tooling, infrastructure, and operational artifacts consistent with support for offensive intelligence operations.
On January 5, 2026, Ed1s0nZ added a credential to their GitHub profile: a CNNVD Level 2 Contribution Award. The CNNVD — China's National Vulnerability Database of Information Security — is operated by CNITSEC, which falls under MSS oversight. BitSight researchers have documented that the CNNVD systematically delays publishing vulnerabilities with higher CVSS scores, a pattern consistent with a program that stockpiles high-severity vulnerabilities for intelligence use rather than coordinated disclosure. Receiving a formal contribution award from this program is not a casual professional credential.
Ed1s0nZ subsequently removed the CNNVD reference from their GitHub profile. Will Thomas noted this directly: "The developer's recent attempt to scrub references to the CNNVD from their GitHub profile points to an active effort to obscure these state ties, likely to protect the tool's operational viability as its popularity grows." The deletion is itself informative — it suggests awareness of how the credential would be interpreted by Western threat intelligence analysts. Source: Team Cymru report, March 3, 2026.
Ed1s0nZ's other published repositories reinforce the picture. PrivHunterAI uses Kimi, DeepSeek, and GPT to automate privilege escalation vulnerability detection. InfiltrateX is a Golang-based scanner for the same purpose. ChatGPTJailbreak contains prompts designed to bypass OpenAI's safety filters. VigilantEye monitors databases for leaked personal data — Chinese phone numbers and ID card numbers specifically — and routes alerts to a WeChat Work bot, a design choice that suggests operational use within China's domestic intelligence ecosystem rather than generic security research.
Taken together, the profile is consistent with what threat intelligence analysts describe as a "state-adjacent" developer: someone who operates in the private sector but whose work feeds into, and is recognized by, state intelligence programs. The open-source publication of CyberStrikeAI is not inconsistent with this model — making a powerful offensive tool freely available grows its user base, accelerates its development through community contributions (38 open pull requests visible in the repository as of early March 2026), and allows state-linked actors to deploy it with plausible deniability.
The Campaign: How a Low-Skilled Actor Breached 600 Firewalls
The FortiGate campaign that Amazon Threat Intelligence disclosed in February 2026 is the operational context in which CyberStrikeAI was identified in the wild. The two are connected through a single IP address — 212.11.64[.]250 — which Team Cymru identified as running CyberStrikeAI's service banner on port 8080 while simultaneously exhibiting network communications with targeted FortiGate devices.
Amazon's CISO, CJ Moses, characterized the threat actor as financially motivated, Russian-speaking, and having limited technical capabilities. That characterization is important context for everything that follows. This was not a sophisticated nation-state operator with proprietary tooling. This was someone whose technical limitations were systematically compensated for by AI.
Phase 1: Reconnaissance and Initial Access
The campaign ran from January 11 to February 18, 2026. The initial access method required no exploits. The attacker used a Go-based orchestrator called CHECKER2 — a Docker-containerized tool for parallel VPN scanning — to systematically probe FortiGate management interfaces on ports 443, 8443, 10443, and 4443 across the public internet. Operational logs recovered from the attacker's exposed server showed CHECKER2 processing over 2,500 potential targets across more than 100 countries in containerized batches. Once a device was identified with exposed management interfaces, the attacker attempted authentication using commonly reused default and weak credentials. The campaign succeeded wherever organizations had not enforced multi-factor authentication on VPN and administrative accounts.
Phase 2: Configuration Extraction and AI-Assisted Planning
Upon successful authentication, the attacker extracted complete FortiGate device configurations. These files contained SSL-VPN user credentials with recoverable passwords, network topology information, internal routing data, and device configuration details. The extracted configurations were parsed and decrypted using what Amazon assessed to be AI-assisted Python and Go tools — a conclusion supported by code-level forensic indicators including redundant comments that simply restate function names, naive JSON parsing via string matching rather than proper deserialization, and architectural patterns consistent with AI-generated code rather than experienced engineering.
The configurations were then ingested by ARXON, a custom Model Context Protocol server that the attacker built to bridge stolen reconnaissance data and commercial language models. ARXON fed stolen network maps, credentials, and routing data into DeepSeek and Claude to generate structured, step-by-step attack plans. These plans specified how to achieve Domain Administrator access, where to search for additional credentials, recommended exploitation steps, and guidance on lateral movement to other devices on the internal network. The server at 212.11.64[.]250 exposed 1,402 files across 139 subdirectories, including AI prompt history, cached attack plans labeled per victim network, and FortiGate configuration backups organized by target.
According to the independent investigation published by the Cyber and Ramen security blog, the exposed server contained folders labeled "claude" and "claude-0" with task outputs and cached prompts, as well as a .claude settings file that pre-approved autonomous execution of Impacket tools (secretsdump), Metasploit modules, and hashcat — meaning Claude Code was configured to run offensive tools without requiring per-command operator approval. Source: Cyber and Ramen security blog, February 2026; corroborated by BleepingComputer.
Phase 3: Post-Exploitation and Lateral Movement
Following VPN access to victim networks, the attacker conducted Active Directory reconnaissance using BloodHound and deployed credential harvesting tooling. Amazon's analysis confirmed that in verified compromises, the attacker obtained complete domain credential databases. In at least one documented case, the Domain Administrator account used a plaintext password recoverable directly from the FortiGate configuration file — either through direct extraction or password reuse.
Lateral movement techniques included pass-the-hash and pass-the-ticket attacks, NTLM relay attacks using standard poisoning tools, and remote command execution on Windows hosts. The attacker specifically targeted Veeam Backup and Replication servers, deploying PowerShell scripts and compiled decryption tools to extract credentials from backup infrastructure — a pattern consistent with pre-ransomware staging, where destroying or encrypting backup systems ensures victims cannot recover without paying.
"What sets this activity apart is the integration of LLMs: a (likely) single operator managing simultaneous intrusions across multiple countries with analytical support at every stage. Language models only assisted a low-to-average skilled actor in removing the number of targets one person can work at any given time." — Anonymous researcher, Cyber and Ramen security blog
The operational security failure that exposed all of this was the attacker's own server being misconfigured — leaving the directory publicly accessible. Amazon discovered it through routine threat intelligence operations. The attacker's inadvertent transparency provided a complete window into a methodology that, had it remained hidden, would have been nearly impossible to reconstruct.
The Broader Implications: This Is Not an Isolated Event
The instinct to treat the FortiGate campaign as a one-time incident misreads the signals. Team Cymru observed 21 unique IP addresses running CyberStrikeAI between January 20 and February 26, 2026 — servers primarily in China, Singapore, and Hong Kong, with additional infrastructure in the United States, Japan, and Switzerland. The tool was published in November 2025 and saw minimal activity through December. The sharp acceleration in January 2026 tracks directly with Ed1s0nZ's submission to Knownsec 404's Starlink Project in December 2025, which exposed the tool to the Chinese offensive security community.
The FortiGate campaign itself evolved over time. The Cyber and Ramen investigation noted that the attacker initially used an open-source HexStrike MCP framework and, approximately eight weeks later, migrated to the customized ARXON system. This is the behavior of someone actively improving their tradecraft — not a static threat actor running a canned playbook.
Meanwhile, the broader trend runs in the same direction. Google's Threat Intelligence Group published its AI Threat Tracker report in February 2026, documenting that nation-state actors from China (APT31, APT41, UNC795), Iran (APT42), North Korea (UNC2970), and Russia are actively using Gemini across all stages of cyberattacks — reconnaissance, phishing lure creation, vulnerability analysis, and command-and-control development. The report specifically noted that APT31 used Gemini alongside HexStrike MCP tooling — the same open-source MCP framework this campaign initially used before migrating to ARXON. Amazon's assessment of the FortiGate campaign explicitly frames AI as a force multiplier that enables unskilled actors to operate at the scale and sophistication previously requiring experienced teams.
"As adversaries increasingly embrace AI-native orchestration engines, we expect to see a rise in automated, AI-driven targeting of vulnerable edge devices, similar to the observed reconnaissance and targeting of Fortinet FortiGate appliances." — Will Thomas (BushidoToken), Team Cymru, March 3, 2026
The uncomfortable reality this campaign demonstrates is that the security fundamentals that matter most — not exposing management interfaces to the internet, enforcing MFA, maintaining credential hygiene, isolating backup infrastructure — are exactly the controls that many organizations still treat as aspirational rather than operational. AI did not create those gaps. It industrialized exploiting them.
CISA added CVE-2026-24858 (Fortinet FortiCloud SSO Authentication Bypass, CVSS 9.4) to its Known Exploited Vulnerabilities catalog following active zero-day exploitation. The vulnerability allows an attacker with any valid FortiCloud account and a registered device to authenticate to other customers' devices if FortiCloud SSO is enabled on the target — a cross-tenant authentication flaw, not a bypass of default settings. FortiCloud SSO is not enabled in factory defaults but is automatically activated during device registration via the FortiCare GUI unless explicitly disabled. Fortinet temporarily disabled FortiCloud SSO on January 26, 2026, re-enabled it on January 27 with restrictions blocking vulnerable versions, and has since released patches and updated detection signatures. Federal agencies were directed to patch under mandatory KEV timelines (deadline: January 30, 2026). All organizations running FortiGate appliances with FortiCloud SSO enabled should treat this as an active threat requiring immediate remediation.
What You Should Actually Do
The defensive recommendations that follow are not novel. They are the same fundamentals that appear in every post-incident analysis and get skipped in every budget cycle. What is different is the urgency: AI-augmented platforms like CyberStrikeAI mean that failing to implement them exposes organizations not just to skilled adversaries, but to any threat actor who can clone a GitHub repository.
- Remove FortiGate management interfaces from the public internet immediately. If remote administration is required, restrict access to known IP ranges through a bastion host or out-of-band management network. The campaign's initial access relied entirely on management interfaces being internet-accessible. This is a configuration choice, not a product defect.
- Enforce multi-factor authentication on every administrative and VPN account. Single-factor authentication on VPN accounts was the critical gap this campaign exploited at scale. CHECKER2 processed thousands of targets precisely because credential brute-forcing works when MFA is absent. There is no compensating control that substitutes for MFA here.
- Rotate all SSL-VPN user credentials and ensure VPN passwords do not duplicate Active Directory passwords. The attacker extracted recoverable passwords directly from FortiGate configuration files. Password reuse between FortiGate VPN accounts and domain accounts was the pathway to Active Directory compromise in confirmed cases.
- Isolate and harden Veeam Backup and Replication infrastructure. The attacker specifically targeted backup servers as a ransomware prerequisite. Backup systems should have separate credentials, network-level isolation from production environments, and immutable storage configurations that prevent modification or deletion by compromised domain accounts.
- Monitor NetFlow and port scan data for CyberStrikeAI service banners on port 8080. Block the known malicious IP 212.11.64[.]250 and associated infrastructure. Query SIEM data for inbound and outbound connections to known CyberStrikeAI nodes. Implement behavioral detection for anomalous VPN logins and DCSync activity.
- Apply patches for CVE-2026-24858 (Fortinet FortiCloud SSO Authentication Bypass, CVSS 9.4) if FortiCloud SSO is or has been enabled. This vulnerability was added to CISA's KEV catalog following active zero-day exploitation. FortiCloud SSO is not enabled in default configurations, but is enabled during FortiCare device registration via the GUI unless explicitly toggled off. Organizations that have never registered a FortiGate device through FortiCare and have confirmed FortiCloud SSO is disabled are not directly affected, but should verify. All others should patch immediately and audit logs for the known malicious FortiCloud accounts (cloud-noc@mail.io and cloud-init@mail.io) associated with documented exploitation.
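The log queries described in the last two items can be sketched as follows. This is an added example, not code from the article or from any of the cited reports. The key=value log layout, the field name `user`, and the sample lines are constructed for illustration; the indicators are the ones printed above.

```python
import ipaddress
import re

# Indicators as printed in the article; the IP is stored defanged and refanged here.
IOC_IPS = {ipaddress.ip_address(s.replace("[.]", ".")) for s in ["212.11.64[.]250"]}
IOC_ACCOUNTS = {"cloud-noc@mail.io", "cloud-init@mail.io"}
USER_FIELDS = ("user",)  # assumed field name in this constructed log layout

KV = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')
# Whole IPv4 tokens only, so 212.11.64.25 or 1212.11.64.250 never match by substring.
IPV4 = re.compile(r'(?<![\d.])(?:\d{1,3}\.){3}\d{1,3}(?!\d|\.\d)')

# Constructed sample lines, not taken from any real device.
SAMPLE_LOG = [
    'date=2026-02-01 time=03:12:44 type="traffic" srcip=10.20.5.17 dstip=212.11.64.250 dstport=8080 action="accept"',
    'date=2026-02-01 time=03:15:02 type="event" user="admin" srcip=212.11.64.25 action="login" status="failed"',
    'date=2026-02-02 time=11:40:09 type="event" user="Cloud-Init@mail.io" srcip=198.51.100.7 action="login" status="success"',
    'date=2026-02-02 time=11:41:30 type="event" user="admin" msg="Admin login from ssl(212.11.64.250:8443)" status="success"',
    'date=2026-02-03 time=09:00:00 type="traffic" srcip=10.20.5.17 dstip=203.0.113.10 dstport=443 action="accept"',
]

def parse_kv(line):
    """Split one key=value log line into a dict, honouring quoted values."""
    return {k: quoted or bare for k, quoted, bare in KV.findall(line)}

def as_ip(text):
    """Return an ip_address object, or None for tokens that are not valid IPs."""
    try:
        return ipaddress.ip_address(text)
    except ValueError:
        return None

def hunt(lines):
    """Return (line_number, field, matched_value) for every indicator hit."""
    hits = []
    for n, line in enumerate(lines, 1):
        for field, value in parse_kv(line).items():
            # Any field may carry an address, including free-text messages.
            for candidate in IPV4.findall(value):
                if as_ip(candidate) in IOC_IPS:
                    hits.append((n, field, candidate))
            # Account names are compared case-insensitively.
            if field in USER_FIELDS and value.strip().lower() in IOC_ACCOUNTS:
                hits.append((n, field, value))
    return hits

if __name__ == "__main__":
    for hit in hunt(SAMPLE_LOG):
        print(hit)
```

Matching on parsed fields and whole address tokens keeps near-miss addresses such as 212.11.64.25 out of the results, which a plain substring search would not.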
Amazon's CJ Moses framed the defensive posture clearly in the company's February 2026 disclosure: the campaign succeeded through exposed management ports and weak credentials with single-factor authentication — fundamental security gaps that AI helped an unsophisticated actor exploit at scale. Strong defensive fundamentals, Moses wrote, remain the most effective countermeasure: patch management for perimeter devices, credential hygiene, network segmentation, and robust detection for post-exploitation indicators.
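A configuration check for the two gaps named above, management access on internet-facing interfaces and administrator accounts without a second factor, as an added example that is not from Amazon's disclosure or the original article. It reads a constructed FortiOS-style backup; the keywords it relies on (`allowaccess`, `role`, `two-factor`, `trusthost`) follow FortiOS CLI syntax as assumed here and should be verified against your firmware version.

```python
import shlex

MGMT = {"https", "http", "ssh", "telnet"}  # admin protocols of interest
WANTED = ("system interface", "system admin")

# Constructed sample in FortiOS backup style; not taken from any real device.
SAMPLE_CONFIG = """
config system interface
    edit "wan1"
        set allowaccess ping https ssh
        config ipv6
            set ip6-mode static
        end
        set role wan
    next
    edit "internal"
        set allowaccess ping https ssh
        set role lan
    next
end
config system admin
    edit "admin"
        set accprofile "super_admin"
    next
    edit "netops"
        set accprofile "super_admin"
        set two-factor fortitoken
        set trusthost1 10.20.0.0 255.255.255.0
    next
end
"""

def tokens(line):
    try:
        return shlex.split(line)
    except ValueError:  # unbalanced quote, e.g. a multi-line value
        return line.split()

def parse(text):
    """Return {section: {entry: {key: [values]}}} for the WANTED sections."""
    stack, entry, out = [], None, {}
    for raw in text.splitlines():
        tok = tokens(raw)
        if not tok:
            continue
        if tok[0] == "config":
            stack.append(" ".join(tok[1:]))
        elif tok[0] == "end":
            if stack:
                stack.pop()
        elif len(stack) == 1 and stack[0] in WANTED:  # skip nested blocks
            if tok[0] == "edit" and len(tok) > 1:
                entry = out.setdefault(stack[0], {}).setdefault(tok[1], {})
            elif tok[0] == "next":
                entry = None
            elif tok[0] == "set" and len(tok) > 1 and entry is not None:
                entry[tok[1]] = tok[2:]
    return out

def audit(text):
    """Return (object_name, finding) pairs for exposure and MFA gaps."""
    cfg, findings = parse(text), []
    for name, s in cfg.get("system interface", {}).items():
        exposed = MGMT & set(s.get("allowaccess", []))
        if s.get("role") == ["wan"] and exposed:
            findings.append((name, "management on WAN: " + ",".join(sorted(exposed))))
    for name, s in cfg.get("system admin", {}).items():
        if s.get("two-factor", ["disable"]) == ["disable"]:
            findings.append((name, "no two-factor"))
        if not any(k.startswith("trusthost") for k in s):
            findings.append((name, "no trusthost restriction"))
    return findings
```

An interface is flagged only when it is both marked as WAN and allows an administrative protocol, so the same `allowaccess` line on the internal interface is not reported.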
The emergence of CyberStrikeAI as a widely adopted, actively maintained, state-adjacent offensive platform is a marker. It signals that AI-native attack tooling is no longer a research curiosity or a capability exclusive to well-resourced nation-state operators. It is open-source, continuously developed, and available to anyone. The organizations that will weather this shift are the ones that stopped treating the basics as optional.
The assembly line is running. The question is whether your perimeter is the next thing coming off it.
Sources
- Google Threat Intelligence Group — GTIG AI Threat Tracker: Distillation, Experimentation, and Integration of AI for Adversarial Use, February 2026
- Will Thomas (BushidoToken), Team Cymru — Tracking CyberStrikeAI: AI-Native Offensive Tools & MSS Ties, Team Cymru, March 3, 2026
- Will Thomas (BushidoToken), Team Cymru — CyberStrikeAI Tool Adopted by Hackers for AI-Powered Attacks, BleepingComputer, March 3, 2026
- CJ Moses, CISO Amazon Integrated Security — AI-Augmented Threat Actor Accesses FortiGate Devices at Scale, AWS Security Blog, February 2026
- The Hacker News — Open-Source CyberStrikeAI Deployed in AI-Driven FortiGate Attacks Across 55 Countries, March 4, 2026
- Cyber and Ramen — Independent technical analysis of the FortiGate AI campaign infrastructure, February 2026
- Ed1s0nZ — CyberStrikeAI GitHub Repository
- CISA — Fortinet Releases Guidance to Address Ongoing Exploitation of CVE-2026-24858, January 28, 2026
- BitSight — Analysis of CNNVD vulnerability disclosure delay patterns
- DomainTools — The Knownsec Leak: Analysis of China's Contractor-Driven Cyber Espionage Ecosystem, January 2026
- Cyberwarzone — CyberStrikeAI: Chinese-Linked AI Attack Platform, March 3, 2026